(57) Abstract: Illegitimate use of IP addresses is
counteracted. A network (1) includes a switch (5) with
ports (P1, P2, P3) to subscribers (6, 6A) and a port (PN) to a
core network (2) with DHCP servers (4, 4a, 4b). The switch
includes a database (MAC1, MAC2), port numbers (P1, P2)
and VLAN identities (VLAN1, VLAN2) for the subscribers
(6, 6A) and the filter has a list over trusted DHCP servers.
Initially only DHCP messages from the subscribers are
allowed. When the subscriber (6) requests (M1, M3) an
IP address it is checked that it is a DHCP message with valid
subscriber values (MAC1, P1, VLAN1). A response (M2,
M4) with an allocated IP address (IP1) and lease time interval
(T1) is checked to come from a trusted DHCP server. If so,
a list in the filter (9) with correct information is dynamically
generated (MAC1, P1, VLAN1, IP1, T1). A message (M5)
from the subscriber (6) with a false IP address is discarded by
the filter. Attempts by the subscriber to use a false IP address
are counted and a warning signal is generated.

METHOD AND ARRANGEMENT FOR PREVENTING
ILLEGITIMATE USE OF IP ADDRESSES.

TECHNICAL FIELD OF THE INVENTION 

The present invention relates to a method and a device in an
IP network, which counteract illegitimate use of IP
addresses.

DESCRIPTION OF RELATED ART 

Subscribers in an IP network can use IP addresses that are
not acquired in a legitimate way. The subscriber can use
someone else's IP address or an IP address currently not in
use. The subscriber, who may be e.g. an enterprise, is
connected to a broadband island, and uses the IP address to
identify itself on the network. If the subscriber intends
abuse, it is appealing to use such an illegitimate IP
address: abuse tracking is based on the IP address, so an
abuser using an illegitimate address is more difficult to
track in an investigation.

International patent application WO 98/26550 discloses
a system for allocating and using IP addresses in
a network with subscriber systems. Each subscriber system is
connected to a DHCP server via a cable modem. The DHCP
server leases IP addresses to the subscriber systems and
works in combination with a secure DHCP relay agent and a
secure IP relay agent. When a subscriber system sends a DHCP
request message, the DHCP relay agent adds a trusted
identifier to the message and transmits it to the DHCP
server. The trusted identifier, which is associated with the
requesting subscriber system, is used by the DHCP server to
prevent the subscriber system from accessing IP address
leases of other subscriber systems. The DHCP server also
counts the number of IP address leases per trusted identifier
and restricts it to a predetermined number. The system
requires a non-standard DHCP server and subscriber system.

US 6,061,798 discloses a firewall for isolating network
elements from a publicly accessible network. All access to
protected network elements must go through the firewall,
operating on a stand-alone computer. A proxy agent,
specifically assigned to an incoming request, verifies the
authority of the request to access a network element
indicated in the request. Once verified, the proxy agent
completes the connection to the protected network on behalf
of the source of the incoming request.

It is known in the art to prevent misuse of IP addresses by a
filter in a switch, which is connected to a subscriber. A
subscriber's data frames are filtered for illegitimate
addresses. The filter is built up and is updated by a
network operator.



SUMMARY OF THE INVENTION

The present invention deals with the abovementioned problem
of how to restrict the use of allocated IP addresses in an IP
network to legitimate ones.

Another problem is how to prevent a subscriber from using
per se legitimate IP addresses, which the subscriber has
obtained in an illegitimate way.

Still a problem is how to prevent the subscriber from making
a great number of attempts to illegitimately use IP addresses.

Still another problem is that an operator has to build up
and update a filter for statically allocated addresses.

The problem is solved by an IP filter device with subscriber
identifications and corresponding IP addresses. Data frames
from the subscribers have to have the correct source IP
address to pass the filter device. The IP filter is
successively updated as new subscriber IP addresses are
used. In case of IP addresses being allocated by DHCP
(Dynamic Host Configuration Protocol) servers, only trusted
servers are allowed to allocate subscriber IP addresses to
the subscribers.

The IP filter is dynamically updated in the following way. A
subscriber requests an IP address. An address response
with an allocated IP address from a DHCP server is analysed
both to be a DHCP frame and to come from one of the trusted
DHCP servers, which servers are noted on a list. The
allocated IP address and its lease time are stored in the IP
filter together with an identification of the subscriber.
When the lease time is out the subscriber identification and
the IP address are deleted from the filter. New subscribers
are stored successively. Traffic from one of the subscribers
has to have the subscriber's assigned IP address as source
address to pass the filter. Attempts from a subscriber to
use illegitimate IP addresses are counted and at a
predetermined number of attempts a warning is generated.

A purpose of the invention is to restrict the use of IP
addresses to legitimate ones.

Another purpose is to prevent a subscriber from using per se
legitimate IP addresses which the subscriber has obtained
in an illegitimate way.

Still a purpose is to prevent the subscriber from making a
great number of attempts to illegitimately use IP addresses.

Yet another purpose is that the mentioned IP address
limitations will work automatically in an environment with
dynamically allocated IP addresses.

The invention has the advantage that only trusted DHCP
servers can allocate IP addresses.

Another advantage is that a subscriber can use only
legitimate IP addresses obtained in a legitimate way.

A further advantage is that it is possible to prevent
repeated attempts to get IP addresses.

Still another advantage is that a subscriber that intends
to misuse the network can't make tracing more difficult by
using an IP address obtained illegitimately.

Also, advantages are that an operator does not need to
build up and update a filter, an automated process is not
affected by human errors and management of the system is
cheap.

The invention will now be more closely described with the aid
of embodiments in connection with the enclosed drawings.

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 shows a view over an IP network;

Figure 2 shows a block schematic over a switch;

Figure 3 shows a table in the switch;

Figure 4 shows a block schematic over an IP frame;

Figure 5 shows a flow chart for procedures in the switch;

Figure 6 shows a block schematic over a list;

Figure 7 shows a block schematic over a counter; and

Figure 8 shows a flow chart for alternative procedures in
the switch.

DETAILED DESCRIPTION OF EMBODIMENTS

Figure 1 shows a view over a simple IP network 1. The
network 1 includes a core network 2 which is connected to a
service provider 3, DHCP servers 4, 4a and 4b and to a
switch 5 via an uplink port PN. The switch in turn includes
a switch engine 8, which is connected to a database 7 and an
IP filter device 9. The filter device is connected to
physical switch ports P1, P2, P3 for subscribers. A
subscriber device 6 is connected to the core network 2 via
the IP filter 9 in the switch 5. The subscriber device 6 has
in conventional manner a MAC address MAC1 and is connected
to the physical switch port P1 and to a virtual LAN VLAN1 on
that port. Also, a subscriber 6A with a MAC address MAC2 is
connected to the port with the identification P2 on a
virtual LAN VLAN2 and the switch also has a further port P3.

Conventional dynamic address allocation works in short in
the following manner. A subscriber in a conventional IP
network with dynamic address allocation wants to have an IP
address, which he has paid for. He then broadcasts a DHCP
(Dynamic Host Configuration Protocol) request. A DHCP server
notes the request and responds with an IP address and a
lease time interval for the address. The subscriber now can
communicate with other subscribers or a service provider via
the network. A subscriber with abuse intentions can acquire
an IP address in an illegitimate way, which makes it more
difficult to track him on the network. The subscriber can
e.g. get the address from a bogus DHCP server or can himself
write an address that belongs to someone else or is
currently not in use. The subscriber can also behave in
other unacceptable ways, e.g. request and get a great number
of IP addresses and thereby make it difficult for other
subscribers to get an address.

In brief the switch 5 works in the following manner. To
prevent misuse of allocated IP addresses the inventive
switch 5 is equipped with the filter 5 for IP address
spoofing protection, that can be enabled or disabled per
virtual LAN. The switch 5 also has a list L1 over trusted
ones of the DHCP servers, in the embodiment the servers 4,
4a and 4b. The switch is configured such that, when the
spoofing protection is enabled, all IP addresses are blocked
on the subscriber's switch port. The only traffic allowed is
DHCP traffic to the trusted DHCP servers, DHCP broadcasts
and sending of ARPs (Address Resolution Protocol). When the
subscriber 6 needs an IP address he broadcasts a DHCP
request. The DHCP servers 4, 4a, 4b read the request and
respond with a frame that indicates an assigned subscriber
IP address IP1 and a lease time interval T1 for this
address. The frame also has a source IP address defining the
respective DHCP server. The switch 5 checks via this source
IP address if the frame is sent by the trusted DHCP servers
4, 4a, 4b on the list. It also checks that it really is a
DHCP frame that is received. The switch 5 has stored in the
database 7 the MAC address MAC1 of the subscriber 6, an
identification of its physical port P1 and its virtual LAN
VLAN1. The switch now dynamically configures the filter 9,
which per subscriber includes the following values: the
subscriber MAC address MAC1, the subscriber's port
identification P1, the subscriber's virtual LAN VLAN1, the
received subscriber IP address IP1 and the lease time
interval T1 for the IP address. When the subscriber 6 sends
a message the switch compares the subscriber source IP
address in the transmitted frames with the assigned
subscriber IP address IP1 in the filter 9 on the
subscriber's port identification P1 and virtual LAN VLAN1.
With correct IP address the frames pass the filter, else the
frames are discarded. When the lease time interval T1 is out
the subscriber identification and the assigned subscriber IP
address IP1 are deleted from the filter (9). More details of
the above briefly described processes will be given in
connection with figure 5.

In a corresponding manner as above the IP filter 9 will be
dynamically configured with subscriber values for the
subscriber 6A: the port identification P2, the virtual LAN
VLAN2, an allocated subscriber IP address IP2 and a
corresponding lease time interval T2.

Statically allocated IP addresses can in one alternative be
written directly into the IP filter 9. In another
alternative the DHCP servers have the statically assigned IP
address for a subscriber. The latter makes a conventional
DHCP request for its static IP address. The DHCP server
notes the subscriber's MAC address in the request and always
allocates the subscriber's statically assigned IP address.
Statically assigned IP addresses of the first type can be
used e.g. when applications on a computer can't utilize DHCP
requests for an IP address.

In figure 2 the switch 5 is shown in some more detail. The
IP filter 9 is connected to the switch ports P1, P2 and P3
and to the database 7. It is also connected to the switch
engine 8 and to a classifier 10. In the database 7 is stored
the subscriber's MAC address MAC1, its port identification
P1 and the virtual LAN identity VLAN1. The IP filter 9 has a
list over the trusted DHCP servers and also a subscriber
table, which list and table will be described in connection
with figure 3. The classifier 10 checks if transmitted data
frames come from or to a subscriber and whether the DHCP
message is a DHCPACK message or some other DHCP message.
Which operations, in more detail, the respective switch parts
7, 8, 9 and 10 perform when the subscriber 6 makes DHCP
requests or exchanges messages with the network 2 and the
service providers 3 will be described in connection with
figure 5.

It was mentioned above that the filter 9 was configured with
subscriber values. The values are stored in a filter table
TAB1, which is shown in figure 3. In a field 31 the
different subscribers 6, 6A are stored with their respective
MAC addresses MAC1 and MAC2. A field 32 gives the
subscriber's port number, P1 and P2 respectively, and a
field 33 gives the identities VLAN1 and VLAN2 respectively
for the subscriber's virtual LANs. In a field 34 the
subscriber IP addresses IP1 and IP2 respectively are written
and in a field 35 the address lease time intervals T1 and T2
respectively are written. In figure 6 is shown a list L1
having fields 61, 62, 63 for the respective trusted DHCP
servers 4, 4a and 4b with their IP addresses IP4, IP4a and
IP4b.

The communication in the network 1 is performed in
accordance with the TCP/IP Seven Layer Stack. In figure 4 is
shown an Ethernet frame FR1 according to the standard
IEEE 802.1Q. The frame has a field D1 for a destination MAC
address and a following field S1 for a source MAC address.
It also has a field TY2 indicating that VLAN is in use. A
field VL1 points out which virtual LAN is concerned by
a virtual LAN tag. In the present example this tag is the
virtual LAN identity, exemplified by the identities VLAN1
and VLAN2. The frame includes a field TY1 for defining a
type of Ethernet frame. A field EPL1 contains the Ethernet
payload including an IP header IPH with source and
destination IP addresses, the lease time interval and the
message that is to be transmitted.

Figure 5 is a flow chart describing an embodiment of
different tasks that the switch 5 performs. In a block 501
the switch receives an incoming frame and this task is
denoted by (1) in the block. In a block 502 a task (2) is
performed, including checking from where the frame comes.
The switch has both the subscriber ports P1, P2, P3 and the
network port PN, and it is checked on which type of port the
frame is received.

In an alternative 503 the incoming frame comes on one of the
subscriber ports P1, P2 or P3. In a block 504 then a task
(3) is performed, including a check whether the frame is a
DHCP message. This is checked by checking the source and
destination port numbers in the UDP message, given that the
system is restricted such that only DHCP messages may use
port 67 and 68. If the DHCP message check fails it implies
that someone is using ports 67 and 68 and the message is
discarded. If the frame is found to be a DHCP message,
according to an alternative YES1, the frame is accepted by a
block 505. This block performs a task (6), which includes
that the frame is forwarded and in this case forwarded to
the core network 2. If the frame is not a DHCP message,
according to an alternative NO1, a task (4) is performed in
a block 506. The task (4) includes a check whether a frame
source information is valid. It is checked that the layer 2
source MAC address, the layer 3 IP address, the lease time
interval and in actual cases the identification of the
virtual LAN are all valid on the actual port. In the present
embodiment it is in other words checked in the table TAB1
that the MAC address MAC1, the IP address IP1, the lease
time interval T1 and the LAN identification VLAN1 are valid
on the port P1. In an alternative NO2 the check task (4)
shows that the source information is not valid and in a
block 507 a task (5) is performed which implies that the
frame is discarded. In an alternative YES2 for the block 506
the source information is valid and the frame is accepted in
the block 505 by performing the task (6).

The block 502 has the task (2) by which it can in an
alternative 508 detect that the frame comes from the core
network 2 on the port PN. In a block 509 a task (7) is
performed, which includes the check whether the frame is a
DHCP message. In an alternative NO3, when the frame is not a
DHCP message, the frame is accepted in the block 505, which
performs the task (6). In an alternative YES3, when the
frame is a DHCP message, the frame is checked in a block 510
performing a task (8). This task includes a question whether
the DHCP message originates from a valid DHCP server, i.e.
a server that is stored in the list L1. In an alternative
NO4 the server is not valid and the frame is discarded in a
block 511 performing the task (5). In another alternative
YES4 the server is valid and a check is performed in a block
512 performing a task (9). The check includes a question
whether the frame is a DHCP acknowledge message. In an
alternative NO5, when the frame is not an acknowledge
message, the frame is accepted in the block 505. In an
opposite alternative YES5 the frame is an acknowledge
message. It is then handled in a block 513 performing a task
(10). This task includes that the layer 3 IP address and the
lease time interval are added in the database 7. Then the
information about the layer 2 source MAC address, the layer
3 IP address, the port identification, the lease time
interval and the virtual LAN identification for the
subscriber are inserted in the table TAB1. The frame is then
accepted, task (6) in the block 505.

In figure 2 it is denoted which parts of the switch 5
perform the different tasks. The IP filter 9 performs the
task (1) of receiving an incoming frame, the task (4)
concerning frame source information, the task (5) handling
discarding of frames, the task (6) of accepting a frame, the
task (8) handling the question of valid DHCP server and the
task (10) of inserting values in the filter table TAB1. The
classifier 10 performs the task (2) of checking from where
the frames come, the task (3) of checking whether a frame is
a DHCP message from a subscriber, the task (7) of checking
whether a frame is a DHCP message from the core network and
the task (9) whether a frame is an acknowledge message.
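
The classifier's checks (tasks (3), (7) and (9)) applied to the frame layout of figure 4, as an added Python example that is not part of the original text. It goes beyond the port-number test by also requiring the BOOTP magic cookie and by reading DHCP options 53 (message type) and 51 (lease time); the names used and the frame built by `build_sample_ack`, with all its addresses, are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q, ETHERTYPE_IPV4, PROTO_UDP = 0x8100, 0x0800, 17
DHCP_PORTS = {67, 68}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END = 0, 51, 53, 255
DHCPACK = 5


@dataclass
class Classified:
    src_mac: str
    vlan: Optional[int]
    src_ip: str
    on_dhcp_ports: bool = False          # UDP port 67 or 68 in use
    dhcp_type: Optional[int] = None      # option 53; None: not a valid DHCP message
    client_mac: Optional[str] = None     # chaddr: the subscriber the reply is for
    assigned_ip: Optional[str] = None    # yiaddr
    lease_seconds: Optional[int] = None  # option 51


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def classify(frame: bytes) -> Optional[Classified]:
    """Parse one Ethernet frame; None if it is truncated or not IPv4.

    Checksums and IP fragmentation are not examined in this example.
    """
    if len(frame) < 14:
        return None
    src_mac = _mac(frame[6:12])                      # field S1
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == TPID_8021Q:                      # fields TY2 and VL1
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if frame[off] >> 4 != 4 or ihl < 20 or len(frame) < off + ihl:
        return None
    out = Classified(src_mac, vlan, _ip(frame[off + 12:off + 16]))
    udp = frame[off + ihl:]
    if frame[off + 9] != PROTO_UDP or len(udp) < 8:
        return out
    sport, dport = struct.unpack("!HH", udp[:4])
    if sport not in DHCP_PORTS and dport not in DHCP_PORTS:
        return out
    out.on_dhcp_ports = True
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != MAGIC_COOKIE:
        return out                                   # ports 67/68 used, but not DHCP
    out.assigned_ip = _ip(bootp[16:20])
    out.client_mac = _mac(bootp[28:34])
    opts, i = bootp[240:], 0
    while i < len(opts) and opts[i] != OPT_END:
        if opts[i] == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(opts) or i + 2 + opts[i + 1] > len(opts):
            break                                    # truncated option: stop parsing
        code, val = opts[i], opts[i + 2:i + 2 + opts[i + 1]]
        if code == OPT_MSG_TYPE and len(val) == 1:
            out.dhcp_type = val[0]
        elif code == OPT_LEASE_TIME and len(val) == 4:
            (out.lease_seconds,) = struct.unpack("!I", val)
        i += 2 + len(val)
    return out


def build_sample_ack() -> bytes:
    """Constructed sample: VLAN-tagged DHCPACK from server 10.0.0.2."""
    bootp = bytearray(240)
    bootp[0:4] = bytes([2, 1, 6, 0])                 # BOOTREPLY, Ethernet, hlen 6
    bootp[16:20] = bytes([192, 0, 2, 10])            # yiaddr
    bootp[28:34] = bytes.fromhex("020000000001")     # chaddr
    bootp[236:240] = MAGIC_COOKIE
    bootp += bytes([OPT_MSG_TYPE, 1, DHCPACK, OPT_LEASE_TIME, 4])
    bootp += struct.pack("!I", 3600) + bytes([OPT_END])
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     PROTO_UDP, 0, bytes([10, 0, 0, 2]), bytes([192, 0, 2, 10]))
    eth = bytes.fromhex("020000000001") + bytes.fromhex("0200000000fe")
    eth += struct.pack("!HHH", TPID_8021Q, 101, ETHERTYPE_IPV4)
    return eth + ip + udp
```

A frame with `on_dhcp_ports` set and `dhcp_type` left at `None` is the case the description treats as someone else using ports 67 and 68.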

In connection with figure 1 the processes were briefly
described in which the subscriber 6 gets the IP address IP1
and then sends a message. First the process of getting the
address will be more closely described in connection with
figure 5.

The subscriber 6 sends a DHCP discovery message M1 which is
received by the switch 5 according to the block 501, task
(1). In the block 502, task (2), the origin of the message
M1 is checked and according to the alternative 503 the port
P1 is decided. According to the block 504, task (3) and the
alternative YES1, the message M1 is a DHCP message that is
accepted in the block 505, task (6) and is forwarded to the
core network 2.

One or more of the DHCP servers 4, 4a, 4b each return a
DHCP offer message M2 with an offered IP address. According
to the block 501, task (1), the message M2 is received and
in the block 502, task (2), its origin is checked. The port
PN is decided according to the alternative 508 and in the
block 509, task (7), and the alternative YES3 it is noted
that the message M2 is a DHCP message. According to the
block 510, task (8) and alternative YES4, the DHCP server 4
is valid. In the block 512, task (9) and alternative NO5,
the message M2 is found not to be a DHCP acknowledge
message and in the block 505, task (6), the DHCP offer
message M2 is forwarded to the subscriber 6.

The subscriber 6 now selects one of the offered IP
addresses, in the embodiment the address IP1 from the server
4. The subscriber requests the address IP1 by a DHCP
request M3 which is received by the switch 5 according to
the block 501, task (1). In the block 502, task (2), the
origin of the message M3 is checked and according to the
alternative 503 the port P1 is decided. According to the
block 504, task (3) and the alternative YES1, the message M3
is a DHCP message that is accepted in the block 505, task
(6) and is forwarded to the core network 2.

The selected one of the DHCP servers, server 4, returns a
DHCP acknowledge message M4, confirming the offered IP
address IP1. According to the block 501, task (1), the
message M4 is received and in the block 502, task (2), its
origin is checked. The port PN is decided according to the
alternative 508 and in the block 509, task (7), and the
alternative YES3 it is noted that the message M4 is a DHCP
message. According to the block 510, task (8) and
alternative YES4, the DHCP server 4 that has sent the
message M4 is valid. In the block 512, task (9) and
alternative YES5, the message M4 is found to be a DHCP
acknowledge message (DHCPACK). It is then handled in the
block 513, task (10), by which the information about the
subscriber's layer 2 source MAC address MAC1, the received
layer 3 IP address IP1, the port identification P1, the
virtual LAN identification VLAN1 and the lease time interval
T1 are inserted in the table TAB1. The message M4 is thereby
accepted and in the block 505, task (6), the DHCP
acknowledge message M4 is forwarded to the subscriber 6. The
subscriber now has a valid IP address.

It should be noted that a subscriber, e.g. the subscriber 6,
can legitimately use more than one IP address. The
subscriber makes an agreement with an operator and obtains
in this legitimate way further subscriptions for IP
addresses. The number of legitimate IP addresses is noted in
the database 7. The IP addresses themselves are obtained
from the trusted servers in the same way as the address IP1
and are noted in the filter table TAB1.

The subscriber 6 now wants to utilize a service from the
service provider 3 and sends a message M5 in figure 1.
According to the block 501, task (1), the switch 5 receives
the message M5. In the block 502, task (2), it is checked
from where the message M5 comes. In the alternative 503 it
comes on the subscriber port P1. In the block 504, task (3),
it is checked whether the message M5 is a DHCP message. As
it is not so, according to the alternative NO1, it is
checked in the table TAB1, according to the block 506, task
(4), that the layer 2 source MAC address MAC1, the layer 3
IP address IP1, the lease time interval T1 and the
virtual LAN identification VLAN1 are all valid on the actual
port P1. In the alternative YES2 the information is valid
and the message M5 is accepted in the block 505, task (6).
The message is now forwarded to the service provider 3.

If the subscriber tries to send a frame like the frame FR1
in figure 4 as a message and uses an invalid IP address IPX
in the IP header IPH, this is revealed at the check in the
table TAB1. According to the alternative NO2 the frame FR1
is then discarded in block 507, task (5). It was mentioned
above that one problem is how to prevent the subscribers 6
and 6A from making a great number of such attempts to
illegitimately use IP addresses. This problem is solved by
including a counter in the task (5) in the IP filter 9. In
figure 7 a block schematic over such a counter C1 is shown.
The counter has fields 71, 72, 73 in which are written the
respective subscriber ports P1, P2 and P3 and the
corresponding number n of false attempts, i.e. attempts with
invalid IP addresses. It also has a comparison element 79 in
which is written a number N of allowed false attempts. In
the example the subscriber 6 on port P1 has made one false
attempt. When the frame with the invalid address is
discarded, a message F1 is sent to the counter C1, field 71
for the port P1. In this field is set n=1, which is compared
to N=10, resulting in no action. The subscriber 6A on the
port P2 has made n=11 false attempts. As this number exceeds
the allowed number N=10 a warning message W1 is generated.
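
The decision flow of figure 5 together with the lease expiry and the counter C1, as an added Python example that is not code from the original document. The `Frame` structure, the verdict strings, the class and function names and all addresses are assumptions of this example; subscriber DHCP frames are additionally checked against the database 7 as the abstract describes, and an acknowledge message that cannot be tied to a known subscriber is discarded, which the text does not specify.

```python
from dataclasses import dataclass
from typing import Optional

DHCPACK, UPLINK = 5, "PN"


@dataclass
class Frame:
    """A frame after classification (structure assumed for this example)."""
    port: str
    src_mac: str
    vlan: int
    src_ip: str
    on_dhcp_ports: bool = False          # UDP port 67/68 in use
    dhcp_type: Optional[int] = None      # DHCP option 53, None if not valid DHCP
    client_mac: Optional[str] = None     # chaddr of a server reply
    assigned_ip: Optional[str] = None    # yiaddr of a server reply
    lease_seconds: Optional[int] = None  # DHCP option 51


class IPFilter:
    def __init__(self, database, trusted_servers, allowed_false_attempts=10):
        self.database = database               # database 7: MAC -> (port, VLAN)
        self.trusted = set(trusted_servers)    # list L1
        self.tab1 = {}                         # (MAC, port, VLAN, IP) -> lease expiry
        self.counter = {}                      # counter C1: port -> n
        self.allowed = allowed_false_attempts  # N
        self.warnings = []

    def handle(self, f: Frame, now: float) -> str:
        # Delete bindings whose lease time interval has run out.
        self.tab1 = {k: exp for k, exp in self.tab1.items() if exp > now}
        if f.port == UPLINK:                                    # task (2)
            return self._from_network(f, now)
        return self._from_subscriber(f)

    def _from_subscriber(self, f: Frame) -> str:
        if f.on_dhcp_ports:                                     # task (3)
            known = self.database.get(f.src_mac) == (f.port, f.vlan)
            return "accept" if known and f.dhcp_type is not None else "discard"
        if (f.src_mac, f.port, f.vlan, f.src_ip) in self.tab1:  # task (4)
            return "accept"                                     # task (6)
        n = self.counter[f.port] = self.counter.get(f.port, 0) + 1
        if n == self.allowed + 1:                               # n exceeds N
            self.warnings.append(
                f"W1: port {f.port} exceeded {self.allowed} false attempts")
        return "discard"                                        # task (5)

    def _from_network(self, f: Frame, now: float) -> str:
        if not f.on_dhcp_ports:                                 # task (7)
            return "accept"
        if f.src_ip not in self.trusted:                        # task (8)
            return "discard"
        if f.dhcp_type != DHCPACK:                              # task (9)
            return "accept"
        subscriber = self.database.get(f.client_mac)            # task (10)
        if subscriber is None or not f.assigned_ip or not f.lease_seconds:
            return "discard"  # assumption of this example: unusable ACKs are dropped
        port, vlan = subscriber
        self.tab1[(f.client_mac, port, vlan, f.assigned_ip)] = now + f.lease_seconds
        return "accept"


def run_scenario():
    """Replay M1..M5 plus false attempts; all addresses are constructed samples."""
    mac1, ip1, server = "02:00:00:00:00:01", "192.0.2.10", "10.0.0.2"
    flt = IPFilter({mac1: ("P1", 101)}, [server])
    sub = dict(port="P1", src_mac=mac1, vlan=101)
    net = dict(port=UPLINK, src_mac="02:00:00:00:00:fe", vlan=101,
               on_dhcp_ports=True)
    steps = [
        (0, Frame(**sub, src_ip="0.0.0.0", on_dhcp_ports=True, dhcp_type=1)),  # M1
        (1, Frame(**net, src_ip=server, dhcp_type=2, client_mac=mac1,
                  assigned_ip=ip1)),                                           # M2
        (2, Frame(**net, src_ip="10.9.9.9", dhcp_type=DHCPACK, client_mac=mac1,
                  assigned_ip="192.0.2.66", lease_seconds=3600)),  # untrusted server
        (3, Frame(**sub, src_ip="0.0.0.0", on_dhcp_ports=True, dhcp_type=3)),  # M3
        (4, Frame(**net, src_ip=server, dhcp_type=DHCPACK, client_mac=mac1,
                  assigned_ip=ip1, lease_seconds=3600)),                       # M4
        (5, Frame(**sub, src_ip=ip1)),                                         # M5
        (6, Frame(**sub, src_ip="192.0.2.66")),            # invalid address IPX
        (3605, Frame(**sub, src_ip=ip1)),                  # lease T1 has run out
    ]
    return [flt.handle(f, t) for t, f in steps], flt
```

Because a lapsed lease fails the same table check as a spoofed address, frames sent after expiry also increment the counter for that port.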

In figure 8 is shown a flow chart for an alternative
embodiment of the procedures in the switch 5. In a block 801
the switch receives an incoming frame and this task is, as
above, denoted by (1) in the block. In a block 802 a task
(7b) is performed, including checking whether the frame is a
DHCP frame. If it isn't, according to an alternative NO6, the
task (4) is performed in a block 803. This task includes the
check whether the frame source information is valid and is
performed with the aid of the table TAB1 in the filter 9. If
the frame source information is invalid, according to an
alternative NO7, the frame is discarded in a block 804
performing the task (5). If instead the frame source
information is valid, according to an alternative YES7, the
frame is accepted by the task (6) performed in a block 805.
If it is found in the block 802 that the incoming frame is a
DHCP frame, alternative YES6, the task (7b) includes the
check from which type of port the frame comes. In an
alternative 806 the DHCP frame comes on one of the
subscriber ports P1, P2, P3 and is then accepted in the
block 805. In an alternative 807 the DHCP frame instead
comes on the uplink port PN. It is then checked in a block
808 by the task (8), the list L1, whether the DHCP frame
originates from a valid DHCP server. In an alternative NO8
the server is not valid and the frame is discarded in a
block 809, performing the task (5). In an alternative YES8
the server is found to be valid and a check is performed by
the task (9) in a block 810. The check includes the question
whether the frame is a DHCP acknowledge message. If it isn't,
according to an alternative NO9, the frame is accepted in a
block 811, performing the task (6). In an opposite
alternative YES9 the frame is a DHCP acknowledge frame and
is then handled in a block 812, performing the task (10).
This task includes that the layer 3 IP address and the lease
time interval are added in the database 7. Then the
information about the layer 2 source MAC address, the layer
3 IP address, the port identification, the lease time
interval and the virtual LAN identification for the
subscriber are inserted in the table TAB1. The frame is then
accepted, task (6) in the block 811.

The process when the subscriber 6 gets an IP address will be
described very briefly in connection with figure 8. In the
discovery phase the discovery message M1 is received in
block 801 and is found to be a DHCP message in block 802.
According to the alternative 806 it is found to come from the
subscriber and the message M1 is accepted in block 805. The
DHCP offer message M2 from the DHCP servers is received in
block 801, found to be a DHCP message in block 802 and found
to be a response message according to the alternative 807.
The DHCP server is a valid one according to block 808, the
message M2 is no acknowledge message, block 810, and is
accepted in block 811 and forwarded to the subscriber 6. The
latter selects the address IP1 and requests it by the
message M3, which is received in block 801. In block 802 it
is noted as a DHCP message which comes from the subscriber,
alternative 806, and is accepted in block 805. The server
gets the message M3 and returns the acknowledge message M4.
In block 801 the message M4 is received, is found to be a
DHCP message in block 802 and to be a response message,
alternative 807. The message source is valid, block 808, and
the message M4 is found to be an acknowledge message, block
810 alternative YES9. In block 812 the address IP1 and its
lease time interval T1 are added in the database 7 and the
table TAB1 in the IP filter 9 is filled in. The message M4
is accepted, block 811, and the subscriber 6 gets the
address and its lease time interval T1. The subscriber 6 has
a valid IP address.

When the subscriber 6 sends the message M5 to the service
provider 3, the message is received in block 801 and is
found not to be a DHCP message, block 802 alternative NO6.
The frame source information is then checked in block 803
with the aid of the table TAB1 in the filter 9. If valid,
alternative YES7, the message M5 is accepted and is sent to
the addressee.



10/531753

WO 2004/042999

PCT/SE2002/002021

SUBSTITUTE SHEET (RULE 26)

Sheet 1/5: Fig. 1 (drawing of the IP network with the subscribers 6 and 6A, the switch with the IP filter 9, the database 7 and the switch engine 8, and the DHCP server).

Sheet 2/5: Fig. 2 (block schematic of the switch) and Fig. 3 (table TAB1):

Field   Content         Subscriber 6   Subscriber 6A
31      Subscriber      MAC1           MAC2
32      Port no.        P1             P2
33      VLAN identity   VLAN1          VLAN2
34      IP address      IP1            IP2
35      Lease time      T1             T2

Sheet 3/5: Fig. 5 (flow chart with the blocks 501 to 513 and the tasks (1) to (10)).

Sheet 4/5: Fig. 4 (frame FR1 with the fields D1, S1, TY2, VL1, TY1 and EPL1 with the IP header IPH), Fig. 6 (list L1) and Fig. 7 (counter C1):

List L1      Server   IP address
             4        IP4
             4a       IP4a
             4b       IP4b

Counter C1   Port     False attempts
             P1       n=1
             P2       n=11
             P3       n=0
             Allowed number (element 79): N=10

Sheet 5/5: Fig. 8 (flow chart with the blocks 801 to 812).
